For years people have used static passwords to access their systems and data, but this method is no longer considered secure enough protection. One time passwords (OTPs) are an alternative to static passwords and usernames, which are at greater risk of being cracked. Two factor authentication systems use OTPs because a password of this type allows only one authentication attempt, which prevents replay attacks on the network. Once a one-time password has been used it cannot be used again.
With a static password the user generally has to remember what value they set (and request a reminder email if they forget). One Time Passwords can be sent by email, but increasingly they are sent as an SMS to the user’s mobile phone, replacing the need for a physical token solution. With multi factor authentication in place there is an additional layer of complexity, and using tokens can result in more calls requesting replacements due to loss or other issues. It is important that a One Time Password solution is easy to manage and easy to set up; employing the user’s mobile phone can make this easier – especially when setting up and administering users on the system.
Historically, users on a network fail to change their static passwords regularly, store them on the computer in an unencrypted file, share them with others or leave the password cached on their machine – any of these makes it easy for someone to gain password details. The fastest and easiest way to stop replay attacks made in a bid to gain unauthorised access is to use One Time Passwords. By allowing only one attempt at authentication, an OTP prevents repeat access to the network, helping to stop unwanted intruders from gaining access.
By using One Time Passwords on a mobile phone – commonly by way of an app – a user is able to request a new password each time they wish to access the network. This makes using two factor authentication extremely easy for users, as they only have to open their smartphone OTP app and generate a new password. A good multi factor authentication system should also be easy to deploy to new users, and with smartphone technology the one time password generator should initialise itself and work the very first time a user wishes to authenticate.